2018/Berlin/webauthn
WebAuthN as 1FA or 2FA was a session at IndieWebCamp Berlin 2018.
Notes archived from:https://etherpad.indieweb.org/webauthn
IndieWebCamp Berlin 2018
Session: WebAuthN as 1FA or 2FA
When: 2018-11-03 13:15
Participants
- Axel Neuβ¦
- https://joelpurra.com/
- hag.codes
- Jan Diβ¦
- kirill
- Add yourself here⦠(see this for more details)
Notes
- Joel would like to be able to get rid of passwords; using webauthn as a single factor autentication (1FA).
- Was pointed at selfauth and its JS fork
- Wants to get WebAuthn in there
- Joel would also like to use webauthn as the simplest way (if you already have a token) to "register" on a website.
- Just click the button (on the physical token) at the login prompt.
- Identifying as a returning is the same procedure.
- Might need to keep backup authentication methods (additional physical tokens? indieauth? email single-use tokens?) per user, in case the physical token is lost.
- Adding webauthn to indieauth.com might not be a good approach, due to @aaronpk changing project direction.
- Is still open source and self-hostable.
- Some solutions:
- https://github.com/Inklings-io/selfauth
- https://martymcgui.re/2018/03/12/130455/ -> https://glitch.com/~befitting-price
- https://github.com/indieweb/wordpress-indieauth ~ could be used in combination with any other login replacing plugin
- https://github.com/fido-alliance/webauthn-demo
- a demo in NodeJS.
- Has only placeholders for the actual webauthn code, "to be added" during a workshop.
- https://github.com/speakeasyjs/speakeasy
- a general 2f library in NodeJS
- https://github.com/apowers313/webauthn-simple-app
- Should be a working implementation.
- Customizations/configuration/defaults not fully documented? See source code.
- See also other webauthn/fido projects by apowers313.
- Soft tokens VS hardware tokens
- Soft tokens would interface with the same standard, but from computer software rather than USB (or other hardware stacks)
- Can be a bridge between the browser and any (?) other means of authentication.
- Would most likely require the browser to know about the new method, which might not be possible without recompilation (?) or perhaps very low-level plugins.
- It is good to see WebAuthn standard, but who will start using it?
- Google is using it a lot internally
- How can we get more CMS systems to support these systems?
- Plugins to modify or replace login screens?